[
https://issues.apache.org/jira/browse/GEODE-10561?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jinwoo Hwang reassigned GEODE-10561:
------------------------------------
Assignee: Jinwoo Hwang
> TLS Migration : Mitigations for Public‑CA Client‑Auth EKU Removal
> -----------------------------------------------------------------
>
> Key: GEODE-10561
> URL: https://issues.apache.org/jira/browse/GEODE-10561
> Project: Geode
> Issue Type: Improvement
> Reporter: Jinwoo Hwang
> Assignee: Jinwoo Hwang
> Priority: Major
>
> h2. Summary
> Create official Apache Geode documentation that explains three supported TLS
> deployment models and migration guidance in response to the upcoming public
> CA removal of the Client Authentication EKU. The documentation will be an
> authoritative operator guide covering configuration, rotation, verification,
> and recommended automation patterns.
> Note: This guidance applies only to environments using newly issued public-CA
> mTLS certificates where the public CA's issuance does not include client CA
> certificates in the chain. If your deployment already uses an
> enterprise/internal CA or a public-CA chain that includes client CA
> certificates, no action is required; those deployments are not affected by
> this guidance and should continue to follow the internal-CA or hybrid
> guidance where appropriate.
> h2. Background
> Public Certificate Authorities are removing or changing issuance behavior for
> client-auth EKUs on publicly-issued leaf certificates. This impacts users who
> relied on public-CA-signed client certificates for mutual TLS (mTLS) with
> Apache Geode. We must produce an official doc describing viable options and
> migration steps.
> h2. Objective
> Produce a concise, reviewable doc set and a single canonical HOWTO that
> covers:
> - Option A: Internal / enterprise CA for mTLS
> - Option B: Server-only TLS + application-layer client authentication (no
> client certs)
> - Option C: Hybrid — public-CA server certs + private-CA client certs
> h2. Tasks
> * Create top-level doc `docs/TLS_MIGRATION_GUIDE.md` that aggregates content.
> * Reuse and consolidate existing drafts: `docs/INTERNAL_CA_MTLS.md`,
> `docs/SERVER_ONLY_TLS_ALT_AUTH.md`,
> `docs/SERVER_PUBLIC_CLIENT_PRIVATE_CA_HYBRID.md`.
> * Finalize and land docs in `main` and backport to supported release
> branches.
> h2. Priority & Due Date
> Priority: High — public CA policy changes have a concrete timeline. Suggest
> target: 3 weeks.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
